Cyber liability insurance is a relatively new field, but it’s growing rapidly, with almost half of UK businesses having secured some kind of coverage for damage or losses that occur as a result of a cyber incident. Although many security solutions are highly effective nowadays, there is never a 100% guarantee of protection, which is what makes insurance so important for organisations to invest in.
As of late, however, premiums have risen dramatically, which may be a concern for businesses, especially SMEs that will not necessarily have the budget to afford a new policy.
If you’re thinking “I’d rather run the risk of an attack than pay my insurance premium”, you’re likely not the only one, but despite the rise in cost, cyber insurance is still in high demand - and for good reason.
In this article, we take a look at why premiums are so high and how businesses can improve the strength of their cyber protection, to either lower the cost of insurance or at least remain as secure as possible in its absence.
What is Cyber Insurance and is it Worth it?
When it first came about, cyber insurance was simply included as part of general liability cover for companies, designed to offer some sort of protection against cyber risks, but over the years it has increasingly been sold as a standalone product.
With cyber attacks now more sophisticated than ever, the cyber insurance market has grown dramatically and it is now thought to be much better practice to purchase a policy in its own right as opposed to what would otherwise just be an extension to a general business insurance policy. These combined policies just do not offer the kind of comprehensive coverage needed to tackle a cyber incident.
Market-leading specialist insurance provider Cyber Covered explains:
“In our experience, a lot of businesses feel they're adequately protected until a cyber incident occurs. We like to compare cyber & data cover to home insurance - even though you have locks, security systems, and fire alarms, you still protect yourself with a property and contents policy. Similarly, cyber insurance offers that final layer of risk management on top of security software, firewalls and cyber training.”
Some of the most common industries investing in cyber insurance today include oil and energy, IT/technology and financial services, but the impact of a cyber attack can be extremely serious for companies in all sectors, with potential for financial, reputational and legal repercussions. Cyber insurance acts as a safety net so your disaster recovery can be a lot smoother and normal business operations can resume swiftly.
While coverage can vary, cyber liability insurance might include:
- Data and privacy liability
- Cyber extortion
- Monetary losses
- PR costs
- Legal costs
- Business interruption costs
- GDPR support
- Operator error
In truth, any business that is handling data electronically will likely benefit from insurance. Unfortunately, it’s hard to know just how heavily your business could be impacted by a cyber incident, but without a good insurance policy to deal with the unforeseen costs, your business could struggle to overcome the attack.
Why is it So Expensive Now?
In the last couple of years, the cost of insurance policies has risen dramatically, in line with the surge of cyber attacks we’ve seen on businesses across all sectors. In one year from 2020 to 2021, the median for excess insurance prices was believed to have increased by 123%, so it’s not surprising that people are starting to weigh up that investment against the risk of being the victim of an attack.
Why the rise?
Well, there has been a big issue with ransomware attacks over the last few years that has involved lots of insurance providers having to stomach some hefty payouts (though paying the ransom is still advised against by most security experts).
On top of this, supply chain attacks have also been widespread (just look at SolarWinds and Kaseya), with some disastrous, and expensive, consequences. In fact, one Sophos report revealed the average cost of business recovery in 2021 was $1.85m, up from $761,106 the year before.
The pandemic caused security to suffer too, forcing the majority of businesses to make a quick change to a remote working environment, one they were not prepared for. Trying to encourage good cyber security hygiene within a workforce is a challenge at the best of times, but managing this with all employees working from home was an entirely new feat.
Companies are still not prioritising cyber security as much as they should be, exposing themselves to hackers. One report found that the average time for companies to fix severe vulnerabilities is 256 days! This widespread lack of security awareness has unfortunately likely contributed to the frequency of cyber incidents and by extension the necessary rise in insurance policy costs.
“It is vital that every organisation take cyber security seriously as more and more business is done online and we live in a time of increasing cyber risk. No matter how big or small your organisation is, you need to take steps to improve digital resilience now and follow the free government advice to help keep us all safe online.”
- Julia Lopez, Cyber Minister
What are Cyber Insurance providers looking for?
The cost of cyber insurance usually depends on a few different factors, such as company revenue, the data it holds, and its security posture. Insurance providers are now scrutinising risk management strategies more heavily when insurance claims are filed, so it is in every organisation’s best interest to ensure they have considered their assets and are able to demonstrate solid attempts to secure them sufficiently.
With credential harvesting still one of the most common attack vectors (resulting in 61% of attacks last year), many providers are now requiring businesses to have multi-factor authentication (MFA) in place. This additional layer of security can be a huge help in validating users and keeping out bad actors.
Alongside MFA, there are several security measures you can implement that will improve your chances of lowering insurance premiums and getting an insurance claim approved, while also improving the security health of your organisation:
- Cyber Training: Showing that you are actively encouraging cyber security awareness and best practices in your workforce.
- Strong Firewalls: Firewalls that are active and regularly updated to protect against common malware attacks.
- Good Patch Management: Ensuring all software and devices are updated with security patches when they are released, so known vulnerabilities are not left open.
- Data Encryption: Encrypting data in transit to prevent it from being intercepted by bad actors. This is particularly important for homeworkers.
- Incident Response Plan: Having a good incident response plan with a clear process mapped out and responsibilities clearly assigned.
- Monitoring and Maintenance: Cyber threats evolve, so you can’t assume your organisation will be secure after checking once. Doing regular security audits and vulnerability assessments will show you are keeping an eye out for any new issues and doing your utmost to protect your company from attacks.
There is no real end to a list like this as there is always something more you can do to improve your organisation’s security, but ensuring you have the fundamentals covered will make you look 10x better in the eyes of an insurance provider.
Aligning with recognised frameworks designed to help you implement these fundamentals can be really helpful for businesses, particularly SMEs that may not have access to a wealth of IT support. Cyber Essentials is the Government standard for cyber security in the UK and its controls are perfectly suited to help your business meet the above recommendations. What’s more, a basic cyber insurance policy with coverage of 25k is actually earned alongside your Cyber Essentials certification, so it is a great start for those yet to invest in insurance against cyber risks.
Ultimately, it is in every business's best interest to implement these security fundamentals and you’ll have a much better chance of paying a lower premium. Your insurer and you want the same thing after all - for your business not to be the victim of a cyber attack!
I Still Don’t Think I Have the Budget for Cyber Insurance
The increase in cost may still be too much of a stretch for many businesses, but even just achieving Cyber Essentials and building secure foundations for your business will massively boost your organisation’s defence, and at a much more affordable price. Plus, you’ll get the 25k free cyber insurance, so this is far better than doing nothing at all and simply hoping you won’t experience an attack. It is this mentality that has sadly put a lot of smaller companies out of business.
So, focus on improved cyber hygiene first and foremost. If you can budget for cyber insurance, it will always be worth the peace of mind and financial security, but if it isn’t feasible for your business at present, at least you will know you’re doing all you can to maintain a secure environment and significantly reduce your risk.